---
---
<!-- url: install-privs-after -->
<!-- title: After You 安装Magento: Recommended File System Ownership and Privileges -->

<!DOCTYPE html>
<html lang=en>

<head>
    <meta charset=utf-8>

    <link rel="stylesheet" type="text/css" href="{{ site.baseurl }}/common/css/stylesheet.css"/>
    <link rel="stylesheet" href="{{ site.baseurl }}/common/css/stylesheet-fonts.css" type="text/css" charset="utf-8">
    <link rel="icon" href="{{ site.baseurl }}/common/css/favicon.ico" type="image/x-icon">
    <link rel="shortcut icon" href="{{ site.baseurl }}/common/css/favicon.ico" type="image/x-icon">
    <title>After You 安装Magento: Recommended File System Ownership and Privileges</title>

</head>

<body>
<a name="top"></a>
<img src="{{ site.baseurl }}/common/images/m1x/m1xheader.png" width="1024" alt="header" />

<div id="content"> 
<h1>After You 安装Magento: Recommended File System Ownership and Privileges</h1>
<p><a href="{{ site.m1xgithuburl }}guides/m1x/install/installer-privileges_after.html" target="_blank">Edit this page on GitHub <img src="{{ site.baseurl }}/common/images/github_icon.png" height="15px"></a></p>


<div class="toc"> <h4 class="toc">Table of Contents</h4>
<ul><li><a href="#overview">概述</a></li>
<li><a href="#terms">Terminology</a></li>
<li><a href="#privs-after">Setting Privileges and Ownership After You 安装Magento</a></li>
<li><a href="#extensions">Securing Magento Extensions</a></li>
<li><a href="#privs-patches">Applying Magento Support Patches</a></li>
<li><a href="#more-info">For More Information</a></li>
</ul></div>

<h2 id="overview">概述</h2>
<p>In a continuing effort to improve security and ease of use, Magento is updating its recommendations for file system permissions and ownership for the following Magento editions:</p>
<ul><li>Magento Enterprise Edition (EE) versions 1.9 and later</li>
<li>Magento Community Edition (CE) versions 1.4 and later</li></ul>
<p>This article discusses recommended permission and ownership schemes to apply after you install Magento.</p>
<p>The guidelines discussed in this article apply to:</p>
<ul><li>New installations of or upgrades to the previously listed Magento versions only.<br />
The instructions might not work with older versions. If you have already installed Magento, you can optionally change your file system permissions and ownership as discussed in this article.</li>
<li><a href="{{ site.m1xgdeurl }}system-requirements.html" target="_blank">Supported operating systems</a> only</li></ul>
<p>This article discusses the following permission and ownership schemes:</p>
<ul>
<li><a href="#privs-after">安装完成之后</a> for both a hosted Magento server and for a dedicated Magento server (in other words, you have <code>root</code> access on the server).</li>
<li><a href="#extensions">Securing extensions</a>, recommended ownership and privilege settings to apply after you install Magento extensions.<br />
Typically, Magento extensions install with 777 (world-writable) privileges, which is undesirable from a security point of view.</li></ul>

<div class="msg-box important"><img src="{{ site.baseurl }}/common/images/m1x/icon-important.png" alt="important" align="left" width="40"><span><strong>Important</strong>: This topic contains <em>suggestions</em> based on our experience. They are not <em>requirements</em> because we don't know the details of your deployment. Consult your hosting provider, a qualified security specialist, or an experienced system administrator for advice about specific security settings.</span></div>

<h2 id="terms">Terminology</h2>
<p>This article uses the following terminology:</p>
<dl>
<dt>Hosted system</dt>
<dd>A Magento server located on a hosting provider. A <em>hosted</em> system typically does not enable you to elevate to <code>root</code>. The web server typically runs as an ordinary user. Magento assumes you log in as this user to start and stop the web server and that you already own all the files and directories in the Magento installation directory.  You can use <code>chmod</code> to change permissions on files and directories.</dd>
<dt>Dedicated system</dt>
<dd>A Magento server you control and operate. Unlike a hosted system, you can elevate to <code>root</code> and, as <code>root</code>, you can use the <code>chown</code>和<code>chmod</code> commands to set ownership and privileges in the Magento installation directory.</dd>
</dl>

<h2 id="privs-after">Setting Privileges and Ownership After You 安装Magento</h2>
<p>If you have installed Magento, you can set file system privileges and ownership as follows:</p>
<ul><li>For a dedicated Magento server, you set ownership of files and directory as the web server user. You set privileges as 500 (directories) and 400 (files).</li>
<li>For a hosted Magento server on which the web server runs as the logged-in user name, you set privileges as as 500 (directories) and 400 (files).</li></ul>       
<div class="msg-box important"><img src="{{ site.baseurl }}/common/images/m1x/icon-note.png" alt="note" align="left" width="40"><span><strong>注意</strong>: In both hosted and dedicated systems, you set the privileges for the <code>media/</code>和<code>var/</code> directories at 700/600 because they must be writable.</div>

<p>Following is an explanation of the privileges:</p>
<ul><li>500 permissions for directories (<code>dr-x------</code>) gives the web server user read and execute privileges to prevent the accidental deletion or modification of files in the directory. Other users have no access to Magento directories.</li>
<li>400 permissions for files (<code>-r--------</code>) prevent any user (even the web server user) from overwriting files.<br />
This prevents attacks that depend on overwriting existing files with malicious content.</li>
<li>700 permissions (<code>drwx------</code>) for the <code>media/</code>和<code>var/</code> directories give full control (that is, read/write/execute) to the owner and no permissions to anyone else.</li>
<li>600 permissions (<code>-rw-------</code>) for files in the <code>media/</code>和<code>var/</code> directories enable the web server user to write to them and to overwrite them.</li></ul>
<div class="msg-box important"><img src="{{ site.baseurl }}/common/images/m1x/icon-note.png" alt="note" align="left" width="40"><span><strong>注意</strong>: On a dedicated system, all commands discussed in this article must be entered as a user with <code>root</code> privileges. On a hosted system, commands must be entered as the web server user.</div>

<p>To set up ownership and permissions on a dedicated Magento server:</p>
<ol><li><em>Dedicated Magento server only</em>. As a user with <code>root</code> privileges, find the web server user:
<ul><li>Apache:
<ul class="level3"><li>Ubuntu: <code>grep User /etc/apache2/apache2.conf</code></li>
<li>CentOS: <code>grep User /etc/httpd/conf/httpd.conf</code><br />
<div class="msg-box important"><img src="{{ site.baseurl }}/common/images/m1x/icon-note.png" alt="note" align="left" width="40"><span><strong>注意</strong>: The preceding paths are samples only. The paths to these <code>.conf</code> files on your system might be different. You can use the command <code>whereis nginx</code> to find the location of the configuration files.</div></li></ul>
<!-- <pre>ps -o "user group command" -C httpd,apache2</pre>
The value in the USER column is the web server user name.<br /> -->
Typically, the Apache web server user on CentOS is <code>apache</code> and the Apache web server user on Ubuntu is <code>www-data</code>.</li>
<li>nginx: Open the nginx configuration file, typically <code>/etc/nginx/nginx.conf</code>. The <code>user</code> directive specifies the user name. It might run as the Apache user if Apache is installed on the same system.</li></ul>
</li>
<!-- <ul><li>Apache:
<pre>ps -o "user group command" -C httpd,apache2</pre>
The value in the USER column is the web server user name.<br />
Typically, the Apache web server user on CentOS is <code>httpd</code> and the Apache web server user on Ubuntu is <code>apache2</code>.</li>
<li>nginx: Open the nginx configuration file, typically <code>/etc/nginx/nginx.conf</code>. The <code>user</code> directive specifies the user name. It might run as the Apache user if Apache is installed on the same system.</li></ul>
</li> -->
<li>Change to the Magento installation directory.<br />
On CentOS, this is typically <code>/var/www/html/magento</code>. On Ubuntu, it is typically <code>/var/www/magento</code>.</li>
<li><em>Dedicated Magento server only</em>. As a user with <code>root</code> privileges, enter the following command to set ownership of the Magento installation directory and all its subdirectories:
<pre>chown -R <em>web-server-user-name</em> .</pre>
例如， on Ubuntu where Apache usually runs as <code>www-data</code>, enter
<pre>chown -R www-data .</pre></li>
<li>Enter the following commands to set permissions: 
<pre>find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php</pre></li></ol>

<h2 id="extensions">Securing Magento Extensions</h2>
<p>If you set permissions and ownership as discussed in this article, you must change permissions temporarily to be able to use the Magento Connect Manager in the Admin Panel. (<strong>System</strong> > <strong>Magento Connect</strong> > <strong>Magento Connect Manager</strong>). You can still install extensions manually, however; that is beyond the scope of this article.</p>
<p>You can confirm the issue when you access Magento Connect Manager in the Admin Panel. The following error displays on the <strong>Extensions</strong> tab page:</p>
<pre>Warning: Your Magento folder does not have sufficient write permissions.</pre>
<p>To use Magento Connect Manager, you must:</p>
<ol><li>Temporarily set 700/600 permissions on your Magento installation directory and subdirectories.</li>
<li>Install the extension.<br />
Magento Connect Manager typically installs extensions with 777 (world-writable) permissions.</li>
<li>Set permissions back to their recommended values.</li></ol>
<p>In addition, if you have a dedicated Magento server, you should check ownership of files and directories and reset them if necessary. Often, Magento Connect Manager installs extensions with user and group ownership both set to the web server user.</p>

<h3 id="extensions-before">Temporarily Resetting Permissions on Your Magento Installation Directory</h3>
<p>To temporarily set file and directory permissions so you can use Magento Connect Manager:</p>
<ol><li>Change to the Magento installation directory.<br />
On CentOS, this is typically <code>/var/www/html/magento</code>. On Ubuntu, it is typically <code>/var/www/magento</code>.</li>
<li>Enter the following commands:<br />
<pre>find . -type d -exec chmod 700 {} \;
find . -type f -exec chmod 600 {} \;</pre></li>
<li>Install your extension using the Magento Connect Manager.</li></ol>

<h3 id="extensions-after">Restoring the Recommended Permissions</h3>
<p>Enter the commands discussed in this section to return permissions and ownership to their recommended values after you have installed extensions.</p>
<p>To restore Magento installation directory permissions:</p>
<ol><li>Change to the Magento installation directory.<br />
On CentOS, this is typically <code>/var/www/html/magento</code>. On Ubuntu, it is typically <code>/var/www/magento</code>.</li>
<li><em>Dedicated Magento server only</em>. As a user with <code>root</code> privileges, enter the following command to set ownership of the Magento installation directory and all its subdirectories:
<pre>chown -R <em>web-server-user-name</em> .</pre>
例如， on Ubuntu where Apache usually runs as <code>www-data</code>, enter
<pre>chown -R www-data .</pre></li>
<li>Enter the following commands to set permissions:
<pre>find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;</pre></li></ol>

<h2 id="privs-patches">Applying Magento Support Patches</h2>
<p>Magento Support typically provides a shell script to patch various Magento issues. When you run the shell script, file and directory permissions are typically not changed; however, the files provided with the patch are owned by the user who applied the patch. If you have a dedicated Magento server, this is typically <code>root</code>; therefore, after applying the patch, you must change file ownership.</p>
<p>If you are required to apply a patch provided by Magento Support, use the following process:</p>
<ol><li>Get the patch from Magento Support.</li>
<li>Follow the instructions provided with the patch.<br />
Typically, you run a shell script as either a user with <code>root</code> privileges or as the owner of the Magento installation directory.</li>
<li>If you ran the patch as the owner of the Magento installation directory, you're done. File permissions aren't usually changed; however, you should check and reapply file and directory privileges if necessary.</li>
<li>If you ran the patch as a user with <code>root</code> privileges, use the following steps to reset file ownership:
<li><em>Dedicated Magento server only</em>. Find the web server user:
<ul><li>Apache:
<ul class="level3"><li>Ubuntu: <code>grep User /etc/apache2/apache2.conf</code></li>
<li>CentOS: <code>grep User /etc/httpd/conf/httpd.conf</code></li></ul>
<!-- <pre>ps -o "user group command" -C httpd,apache2</pre>
The value in the USER column is the web server user name.<br /> -->
Typically, the Apache web server user on CentOS is <code>apache</code> and the Apache web server user on Ubuntu is <code>www-data</code>.</li>
<li>nginx: Open the nginx configuration file, typically <code>/etc/nginx/nginx.conf</code>. The <code>user</code> directive specifies the user name. It might run as the Apache user if Apache is installed on the same system.</li></ul>
</li>
<li>As a user with <code>root</code> privileges, enter the following command from the Magento installation directory:<br />
<code>chown -R <em>web-server-user-name</em> .</code>
例如， on Ubuntu where Apache usually runs as <code>www-data</code>, enter
<code>chown -R www-data .</code></li></ol> 
</li></ol>

<h2 id="more-info">For More Information</h2>
<p>For more information about UNIX permissions, see the following resources:</p>
<li><a href="http://www.statslab.cam.ac.uk/~eva/unixinfo/perms.html" target="_blank">UNIX File Permissions</a></li>
<li><a href="http://permissions-calculator.org/" target="_blank">Unix Permissions Calculator</a></li>
<li><a href="http://unix.stackexchange.com/questions/39710/how-to-get-permission-number-by-string-rw-r-r" target="_blank">Article on unix.stackexchange</a></li></ul>


</body>
</html>
